Magniber Ransomware Campaign Targets Home Users using JavaScript

A new campaign is targeting home users using impersonated software updates leveraging JavaScript to deliver the Magniber Ransomware.

Posted on October 14, 2022
Lee Clark, Cyber Threat Intelligence Analyst & Writer

A new campaign is targeting home users using impersonated software updates leveraging JavaScript to deliver the Magniber Ransomware.

Context

On October 13, 2022, HP security researchers reported the technical details of a current campaign leveraging JavaScript files impersonating legitimate Windows Security updates to infect home users with the single-client Magniber ransomware.

Technical Details

HP researchers assessed that:

Home users were the likely target of this malware based on the supported operating system versions and UAC bypass.
The attackers used clever techniques to evade protection and detection mechanisms. Most of the infection chain is “fileless”, meaning the malware only resides in memory, reducing the chances of it being detected.
Magniber also bypasses detection techniques that rely on user-mode hooks because it uses syscalls instead of standard Windows API libraries.
With the UAC bypass, the malware deletes the infected system’s shadow copy files and disables backup and recovery features, preventing the victim from recovering their data using Windows tools.

Mitigation Options

HP researchers provided the following defensive recommendations:

Follow the principle of least privilege by only using administrator accounts if you really need to. Many home users have administrator privileges but rarely need them.
Download software updates from trusted sources. The campaign depends on tricking people into opening fake software updates. Only download updates from trustworthy sources such as Windows Update and official software vendor websites.
Back up your data regularly. Backing up your data will give you peace of mind should the worst happen.

IOCs

HP researchers provided the following indicators of compromise (IOCs):

Indicator	Type	Notes
934cfeb5ee3d2ba49831d76dffb1a2658326e1cd90b50779d6670eb2fbdc7ed1	SHA256	Reference Magniber JavaScript sample used for our analysis
6155453a58b0ba360fd18a32d838c4452fec374c364824b50447500c8fd12e80	SHA256	Magniber JavaScript files
5b2a5ac50977f41ac27590395bb89c1afd553e58f2979b680d545bff1530a17b	SHA256	Magniber JavaScript files
79590d91e9131918df458221e8fcb9c5e33d0200f05f9704dcf88167a5515b3f	SHA256	Magniber JavaScript files
7064eab88837bc68b8c5076300170cd73dbea046c9594b588779082396dbfe4c	SHA256	Magniber JavaScript files
a292ff42e0e1b58b13c867d2c94da2a5d34caa2e9c30b63610f7e12be5e7d3d9	SHA256	Magniber JavaScript files
dfa32d8ed7c429b020c0581148a55bc752c35834d7a2b1bae886f2b436285c94	SHA256	Magniber JavaScript files
c1d1402226179c66570d66290dff2238b6a9f918c81267a61d58f4807f0d911c	SHA256	Magniber JavaScript files
56fb0d5e2e216f2b4d9846517d9ed23b69fba4f19f2bad71cdce47d9081642eb	SHA256	Magniber JavaScript files
92ec900b0aa0f8a335cf63d4f313729da2831ffc7d15985adf2d98f2c85c3783	SHA256	Magniber JavaScript files
c7729a7817a3d63f71d6c9066bd87192d07992ae57fc3d3e6d0e67c5ab9fb213	SHA256	Magniber JavaScript files
9d665f87440c22e3ae209308e3712a83a67932643be019e18b1ae00dc4ab8cbd	SHA256	Magniber JavaScript files
b12461bdd88bb2a7f56d11324272ae2a766d560371b2725be6f9d3175fb32f8c	SHA256	Magniber JavaScript files
abeec5267f6eb9fc9f01f4688a53e83c87898845767b8cd8599c75dbce1766a8	SHA256	Magniber JavaScript files
aeee31c3649724686cb9ad17fe1ee2b70b1ad1b6cd77cb8b1997aa6e75d49cc5	SHA256	Magniber JavaScript files
1eba630a870ce1aa840219d77e280cfd05d3d5e5cdea6f382c1c2b8b14ddf04d	SHA256	Magniber JavaScript files
54a5b06060639a483a8f6c80c8f095fb41e3eb5e7c02c3ad4ba29ee3a9ed7aab	SHA256	Magniber JavaScript files
76c012f134e81138fb37ac3638488f309662efcc9bb4011ff8e54869f26bb119	SHA256	Magniber JavaScript files
56d301fe7a6b1a9e21898162b0dada9ff12878c539591052919fabcc36d28541	SHA256	Magniber JavaScript files
4936cf896d0e76d6336d07cc14fbe8a99fbe10ad3e682dbc12fdfe7070fd1b24	SHA256	Magniber JavaScript files
6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c	SHA256	Magniber JavaScript files
05cf26eaea577417804075a2458ac63f58a56b7612653d3a4c2ce8fa752bd418	SHA256	Magniber JavaScript files
266f930572d3006c36ba7e97b4ffed107827decd7738a58c218e1ae5450fbe95	SHA256	Magniber JavaScript files
9095bbb4b123a353a856634166f193124bdc4591cb3a38922b2283acc1d966d6	SHA256	Magniber JavaScript files
98d96f56deaec6f0324126fcdd79fd8854d52ac2996d223d0cb0ab4cff13ff7c	SHA256	Magniber JavaScript files
0c5956b7f252408db7e7b0195bb5419ad3b8daa45ec1944c44e3ec1cca51920f	SHA256	Magniber JavaScript files
c4f9dbff435d873b4e8ecbab8c1b7d2dbdb969ac75af4b1d325e06eb4e51b3ad	SHA256	Magniber JavaScript files
5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34	SHA256	Magniber JavaScript files
d0375fc9cbb564fb18e0afea926c7faf50464b9afb329913dd5486c7cbb36e2e	SHA256	Magniber JavaScript files
ad89fb8819f98e38cddf6135004e1d93e8c8e4cba681ba16d408c4d69317eb47	SHA256	Magniber JavaScript files
99f0e7f06831c6283f5f4dc261a7bcbe4109b4a6717b534c816ca65cd2f05dc4	SHA256	Magniber JavaScript files
b81f76bd5c6e66b9b3a4f2828e58d557091475bed656c9a8d13c8c0e4b7f3936	SHA256	Magniber JavaScript files
c6f1da2490fe78b1f281a98c32d6fa88d675598e658d4e660274047e36f1b189	SHA256	Magniber JavaScript files
dd30688a0e5ac08fc547f44b60f13ef664654c9a8977f7a5f8f619b08c09620b	SHA256	Magniber JavaScript files
c0bf9153ce1641791b357fdb5c2c596fbbf15991a86f510cc444bdb477574d44	SHA256	Magniber JavaScript files
bf50794c33eebc9dc2ce3902fe29f683a37da50de3654a2775baa74d0bbd1188	SHA256	Magniber JavaScript files
b8e76ad7c7857d9985b15dcd064664d198db7201cb9eb6a0e53d81b6002f7d29	SHA256	Magniber JavaScript files
cc1ce8c687450b082dd19a6c5d868f5798e52422172f91ee4b70cb5ffd9f6fcd	SHA256	Magniber JavaScript files
a587172f1bbe665cdfc0cbcec54e72d8b9048c77f344ba5076a17fbf620597de	SHA256	Magniber JavaScript files
c4560eee4b02dc0ef087e48848cc83b270068d167f613f04d43a64025e72c09f	SHA256	Magniber JavaScript files
82fcea3c48509a1724c0a6ded9e3d3cab775a86588119c35b79355105bd828c4	SHA256	Magniber JavaScript files
e993e4ddd05007e62e6e2d00e70927933446ff4bcae2b559bb6be3bc5e4ad2d8	SHA256	Magniber JavaScript files
5b513dfd8f94f9b6e962eb691caa56d52ab4453369108ae3b572e2ee7f9b555d	SHA256	Magniber JavaScript files
d2d3fbfa73dfeb73a6f5c59fefab8dd99dcff58cefeb0d3b3b1c1a8854178933	SHA256	Magniber JavaScript files
d80d90ef631bb60b773bf1211f3c53c1cac043674c85eb65dbc457656ba5d4cc	SHA256	Magniber JavaScript files
757cd5b65155cd115b71021685fcc52a42ee80aca247ea68f41aa0d82dc20fc0	SHA256	Magniber JavaScript files
bba85d79db69db1b638e24e0a426ccccdc5c95875b8c3a26aa959cce3f6c8575	SHA256	Magniber JavaScript files
beb5e1c5ba835f29e272b2942b27b63f6f15647f3da51754fcf53c277e0eccf7	SHA256	Magniber JavaScript files
f41ec94f9d0c7480df2196b3fc5493599d50de222d2c903b173db3e7caff8747	SHA256	Magniber JavaScript files
397aa7bcc4a574dc30f0a491e03be15da55fa898624c7b15d0197e72802d048d	SHA256	Magniber JavaScript files
6b18a287aa2c170605409a4675fd600d0597623d174445aaea5a2279bee0c145	SHA256	Magniber JavaScript files
46d8d6230083254fa324299fc609125ee404e4bbdd3936ddc0235ae21479b655	SHA256	Magniber JavaScript files
e8663c5c28d8591f06eb7995e0f22b7ae7909f9431786f8557f2c081e0e79fad	SHA256	Magniber JavaScript files
d3f626d3e533f3b4aa0599c231210d53f709c46f0cfc3d28f0303df544a39b1b	SHA256	Magniber JavaScript files
814061567356daf6306eb673cfb97cab264c798320bf1b432d396b66393adf83	SHA256	Magniber JavaScript files
2c93879d024238d23270fab734a5ba530bfba2d35b44d265c8be3c93ff8cf463	SHA256	Magniber JavaScript files
3055baf30466f1c0f4cd5b78d05fe32ef7fd406dead3ecfcbdef464fdee551b8	SHA256	Magniber JavaScript files
568e1e3d55a6146f0f899159c3a5183362b8b13304109b49f7394a9fe8c69ea7	SHA256	Magniber JavaScript files
932d2330dc3c1366a8e956183858246c4052027cae1590d2211186be648fdcf4	SHA256	Magniber JavaScript files
dfabd6462ab2ecb9fb0cea7caa257841a751c1e91118168ef5a082cf8a25210f	SHA256	Magniber JavaScript files
fbd69303e6255aae830daba957c8ef62eb6d23340274eb8058826a08e82773db	SHA256	Magniber JavaScript files
123d7744a407af376b4ee4402ff8bee588b40540bcfba22fb64768d1de8c1861	SHA256	Magniber JavaScript files
totwo[.]pw	Domain	Magniber Domain
ittakes[.]fun	Domain	Magniber Domain
catat[.]site	Domain	Magniber Domain
tinpick[.]online	Domain	Magniber Domain
pirlay[.]fun	Domain	Magniber Domain
buyaims[.]online	Domain	Magniber Domain
orhung[.]space	Domain	Magniber Domain
actsred[.]site	Domain	Magniber Domain

Subscribe to the Blog

Receive news and RH‑ISAC updates for cybersecurity practitioners from retail, hospitality, and other customer-facing companies, straight to your inbox.

Subscribe Now

Iranian TA455 Initiates Dream Job Campaign to Target Aviation and Other Critical Industries with Malware

Executive Summary Researchers from ClearSky Cyber Security has uncovered a new cyber espionage campaign attributed to TA455, a subgroup of the Iranian cyber threat actor known

Midnight Blizzard Conducts Large-Scale Spear-Phishing Campaign Utilizing RDP Files

Summary Since October 22, 2024, Microsoft Threat Intelligence has observed recorded activity of the Russian threat actor known as Midnight Blizzard conducting a sophisticated spear-phishing campaign aimed

Infostealer Infection Results in One of the Largest Retail Breach in History

Summary A significant data breach involving Hot Topic, Torrid, and Box Lunch, advertised by the threat actor Satanic, has reportedly exposed the personal data of

Magniber Ransomware Campaign Targets Home Users using JavaScript

A new campaign is targeting home users using impersonated software updates leveraging JavaScript to deliver the Magniber Ransomware.

Context

Technical Details

Mitigation Options

IOCs

Subscribe to the Blog

More Recent Blog Posts

Iranian TA455 Initiates Dream Job Campaign to Target Aviation and Other Critical Industries with Malware

Midnight Blizzard Conducts Large-Scale Spear-Phishing Campaign Utilizing RDP Files

Infostealer Infection Results in One of the Largest Retail Breach in History